truemotion1: make sure index does not go out of bounds

Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org

truemotion1: make sure index does not go out of bounds
Fixes invalid reads. Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind CC:libav-stable@libav.org
c918e08b · Anton Khirnov · ce9bba53 · c918e08b
Commit c918e08b authored Nov 15, 2013 by Anton Khirnov
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 8 deletions

truemotion1.c libavcodec/truemotion1.c +17 -8

No files found.
--- a/libavcodec/truemotion1.c
+++ b/libavcodec/truemotion1.c
@@ -515,6 +515,15 @@ hres,vres,i,i%vres (0 < i < 4)
    index = s->index_stream[index_stream_index++] * 4; \
 }

+#define INC_INDEX                                                   \
+do {                                                                \
+    if (index >= 1023) {                                            \
+        av_log(s->avctx, AV_LOG_ERROR, "Invalid index value.\n");   \
+        return;                                                     \
+    }                                                               \
+    index++;                                                        \
+} while (0)
+
 #define APPLY_C_PREDICTOR() \
    predictor_pair = s->c_predictor_table[index]; \
    horiz_pred += (predictor_pair >> 1); \
@@ -527,10 +536,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;

 #define APPLY_C_PREDICTOR_24() \
    predictor_pair = s->c_predictor_table[index]; \
@@ -544,10 +553,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;


 #define APPLY_Y_PREDICTOR() \
@@ -562,10 +571,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;

 #define APPLY_Y_PREDICTOR_24() \
    predictor_pair = s->y_predictor_table[index]; \
@@ -579,10 +588,10 @@ hres,vres,i,i%vres (0 < i < 4)
            if (predictor_pair & 1) \
                GET_NEXT_INDEX() \
            else \
-                index++; \
+                INC_INDEX; \
        } \
    } else \
-        index++;
+        INC_INDEX;

 #define OUTPUT_PIXEL_PAIR() \
    *current_pixel_pair = *vert_pred + horiz_pred; \